Comments on: Eval is dead! Long live Eval!
https://www.sitepoint.com/eval-is-dead-long-live-eval/
Feed last updated: Mon, 14 Aug 2017 11:54:00 +0000

By: Gavin Engel, Tue, 09 Aug 2011 18:21:00 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31368
Did you discover a way to limit functions to eval by using a whitelist/blacklist?

By: Criss, Tue, 20 Jan 2009 09:35:52 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31367
Eval is a nice example of a thing that should never enter a scripting language which is meant to be secure.

It is incredible that none of the PHP developers has added an option to disable it (and it also cannot be disabled with the disable_function directive).

Along with being an interesting toy for academic exercises, this is a real gift for hackers! Wowwwww!


By: Jim, Sun, 06 Apr 2008 14:21:28 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31366
Thanks. Zend Form looks like it might have the potential to do what I need to do, though I'm not sure there is any open-ended conditional (haven't looked extensively enough).

Pre-written packages aside, I'd be curious to know what PHP function alternatives there are, and how someone can get around something like addslashes(). For example, the system call injection didn't work (of course, I didn't test using that exact system call) when I used addslashes.

The cardinal sin with eval is letting it anywhere near user data. With that system you could very easily end up with a bug that resulted in users being able to inject PHP into your system, for instance by making %x="system('rm -rf /'); 20".

It looks like you have a straight-up validation problem, something solved by WACT's form validation library (http://www.phpwact.org/wact/form_validation), or Zend or Symfony. Basically you want to move all of those snippets of eval'd code into small, light objects which you use to validate your user data.


By: Jim, Sun, 06 Apr 2008 05:50:48 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31364
What I am using eval() for is to do error checking based on some comparison/condition/whatever that is determined when calling the error checking function.

In other words, I would call check_error($user_input,$formula). And then I can have the conditional formula be something like "%x > 10" or "strtoupper(%x)=="ABC""... And %x is replaced with $user_input. Totally arbitrary examples, but the point is I as the programmer using the function need full latitude in choosing the conditional formula.

How else can I do this other than by using eval()? And what is the best way to cleanse the user input?

Thanks – Jim

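One way to keep Jim's check_error($user_input, $formula) interface without eval(), as an added example that is not from the article or any commenter: the formula is treated as data, parsed against a small fixed grammar (one optional wrapper function around %x, one comparison operator, one string or number literal, an assumption chosen to cover the formulas Jim gives) and evaluated only through whitelisted closures, which also answers the whitelist question raised in the later comments. It assumes PHP 7.4 or newer.

```php
<?php
// Added example (not from the article or its commenters); needs PHP 7.4+.
function transforms(): array {          // allowed wrappers around %x
    return [
        ''           => fn($x) => $x,
        'strtoupper' => fn($x) => strtoupper((string) $x),
        'strlen'     => fn($x) => strlen((string) $x),
    ];
}

function operators(): array {           // allowed comparison operators
    return [
        '>'  => fn($a, $b) => $a > $b,
        '<'  => fn($a, $b) => $a < $b,
        '==' => fn($a, $b) => $a == $b,
        '!=' => fn($a, $b) => $a != $b,
    ];
}

// Parse "[fn(]%x[)] OP 'string'|number"; anything else is rejected, not evaluated.
function parse_rule(string $formula): array {
    $re = "/^\s*(?:(\w+)\(%x\)|%x)\s*(>|<|==|!=)\s*(?:'([^']*)'|(-?\d+(?:\.\d+)?))\s*$/";
    if (!preg_match($re, $formula, $m) || !array_key_exists($m[1], transforms())) {
        throw new InvalidArgumentException("Unsupported rule: $formula");
    }
    $expected = isset($m[4]) ? $m[4] + 0 : $m[3];   // typed number or string
    return [$m[1], $m[2], $expected];
}

// Same signature as Jim's check_error(), but the formula is data that is
// interpreted through the whitelists above; $user_input is never executed.
function check_error(string $user_input, string $formula): bool {
    [$fn, $op, $expected] = parse_rule($formula);
    $actual = transforms()[$fn]($user_input);
    // Numeric rules require numeric input: a non-numeric string fails the
    // check instead of falling into PHP's loose string/number comparison.
    if (is_int($expected) || is_float($expected)) {
        if (!is_numeric($actual)) {
            return false;
        }
        $actual += 0;
    }
    return operators()[$op]($actual, $expected);
}

// Constructed inputs: Jim's formulas, then the injection string from the reply.
var_dump(check_error('25', '%x > 10'));
var_dump(check_error('abc', "strtoupper(%x) == 'ABC'"));
var_dump(check_error("system('rm -rf /'); 20", '%x > 10'));
```

A formula that does not fit the grammar raises an exception at parse time, so a misconfigured rule fails closed rather than being run as code.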

By: iDownload, Tue, 09 Oct 2007 17:24:02 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31363
Very interesting. But completely disabling eval is not a good idea. There must be a way to limit its functionality using a black and white list of functions. I am searching for it now... does anybody have an idea how to do that?

By: sina salek, Sat, 01 Jul 2006 11:01:33 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31361
I usually use eval to create complicated classes. It really decreases the amount of code, and helps to inherit from the main class easily and with less code.
But the big problem is, eval is really slow with loops.

By: C~, Tue, 04 Apr 2006 19:24:26 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31360
I used Eval for dynamically loading code into an ircbot I wrote. As all the modules had to be classes there didn't seem to be a way to add functions to existing classes, so I had to use Eval to create a new class and kinda add it to my existing one.

By: sadi, Mon, 29 Aug 2005 11:00:14 +0000
https://www.sitepoint.com/eval-is-dead-long-live-eval/#comment-31359
I faced a lot of problems using eval() with JavaScript. If there is PHP or simple HTML code then eval is simply OK with me. But whenever I have to deal with JavaScript I always found myself in shit. Can anyone give me any way to use JavaScript-containing code in eval()? I am running behind my time in my project.